IFrames Resurface as Popular Attack Vector for Hackers

Security experts warn of rise in "poisoning" of thousands of Web pages via iFrame exploit.

There was a time when end users and IT shops could avoid remote code execution exploits by simply patching vulnerable applications, staying away from questionable URLs and not opening suspicious e-mail attachments.

But security experts warn that this period may be coming to an end, particularly in light of recent widespread attacks against several hundred thousand Web pages and what one researcher, Dancho Danchev, called the "poisoning" of more than a million search queries with loadable inline frames, or what's commonly known as iframes.

"What we're seeing is an old idea -- hacking for profit -- with a relatively recent distribution point, the iframe," said Don Leatham, senior director of solutions at Scottsdale, Ariz.-based Lumension Security. "The hackers are able to set the expectation that you're on a trusted site that is recommending you download a particular software or directing you to bogus address, anything to reel you in and then use the old Trojan uploads like .Zlob."

The recent attacks, which began in the beginning of March and continued through last week, affected some of the Web's most frequented destinations, including, ABC News' homepage, and others.

Hackers have done this sort of thing in the past through phishing or "masquerade ball" attacks using, for example, URLs that are off by one letter or Web pages that pose as legitimate sites linking to eBay or PayPal. But observers say this new approach is different and more effective because the user is tricked into thinking they've never left their trusted Web address.

This is because iframes are hypertext mark-up language (html) elements that enable hackers to embed specially crafted and malicious Web-language-based files inside a seemingly benign Web interface. The iframes are supposed to be used to subdivide content of a given Web site. One of the more common uses of iframes is creating an advertisement or sidebar URL that might pop up on a homepage without one having to leave that homepage.

Security practitioners say such attacks are especially effective in browsers such as Internet Explorer.

"This is concerning because this could impact a user if they visit what they believe to be a legitimate Web site or search engine," said Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "Users have thus far been conditioned to be careful when visiting potentially questionable Web sites. Now that legitimate Web sites are being impacted, you can no longer mitigate the risk by saying 'be careful where you surf.'"

Both Schultze and Lumension's Leatham said they would encourage enterprise security specialists to lock down the network at the firewall level, confining workstations only to sites that are pertinent to business in the event all else fails.

Meanwhile, for managers of computer processing environments who wish to take a less stringent approach, keeping up with the latest anti-virus and anti-malware signatures as well as patches, such as those form Microsoft, is also a good approach.

"It's a good bet that we'll see a lot more of this style attack in the future," said Schultze.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.